FBI got 'a wake-up call' from Hanssen

FBI Agent Robert Philip Hanssen was a tough security problem: a rogue insider.

Bureau turns to other enforcement agencies, industry and Canada for security ideas

After investigating many cases of information theft, the FBI knows that insiders often pose the greatest threat. But the Robert Philip Hanssen case came as a surprise to those charged with securing the bureau's information.

'That was a wake-up call for us,' said Mark A. Tanner, FBI information resources manager. 'Post-Hanssen, we asked what we could have done differently.'

The renegade FBI agent used his almost unchecked access to sensitive data to moonlight as a Russian spy for more than 20 years, federal prosecutors said. He has pleaded guilty to 15 counts of espionage.

Tanner shared some of the lessons learned from the Hanssen case at an information assurance conference hosted last month by E-Gov in Washington.

'It is primarily an operational problem that we have,' Tanner said. 'Our policies were not that bad. The thing that we didn't do enough of was enforcement and administration of those policies.'

The greatest threat to the FBI's information resources is internal because the data flows over a network without Internet connections. 'We don't have connections to the outside world,' Tanner said.

Within the agency, access control was inadequate. 'It was in our procedures and practices where we fell down,' Tanner said.

Searching for better practices, FBI officials talked with the CIA, National Security Agency and Defense Department, as well as the Canadian Security and Intelligence Service, and a number of companies.

'Nobody was [completely] all right,' Tanner said, but the FBI did find practices that might be of help.

'We are identifying some procedures that are not in place and are causing concern,' Tanner said. 'We have a new emphasis on system certification and accreditation.' The bureau uses the National Information Assurance Partnership's certification and accreditation policy as its standard for certifying systems.

The FBI learned that the Canadian service does random audits of employee access records, much like random drug tests. The audits scrutinize an employee's use of electronic files, telecommunications and building access over a month's time. The FBI found it is important to look not only for unauthorized access but also at how information is used, even if the subject is authorized to use it.

On the human resources side, the FBI will begin offering career development training for security personnel. Security careers have not been seen as desirable, Tanner said.

On the technology side, 'We have identified the need for some technology to make things more secure' by letting owners of information track who has been using it. 'We are implementing some tools like that,' he said.

PKI on the way

Also under evaluation are tokens. 'We will use a public-key infrastructure,' Tanner said. 'It's a matter of how and when that will come.'

The FBI implemented a PKI pilot with the Justice Department's Drug Enforcement Administration about two years ago, Tanner said.

When an order for a wiretap is requested, a court considers past wiretaps of the subject in question. The FBI queries DEA records as well as its own for such information. In the past, this involved paper and faxing, but now it is electronic using PKI, Tanner said.

'It works well,' he said. 'It has gone beyond the pilot phase. It's operational, but a limited operation.'

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.